Configure Permissions for Terminal Services Connections

Updated: March 10, 2010

Applies To: Windows Server 2008

Terminal Services permissions are used to control which users or groups can perform particular tasks on the terminal server, such as logging on to the terminal server or remotely controlling a user session. You can manage permissions on a per connection basis in Terminal Services Configuration.

Note

To control who can connect remotely to the terminal server, it is recommended that you modify the Remote Desktop Users group. For more information about modifying the Remote Desktop Users group, see Configure the Remote Desktop Users Group.

The connection permissions that are set in Terminal Services Configuration also determine the actions that a given user can perform in Terminal Services Manager. For example, a user must have at least the Remote Control special access permission in order to remotely control a user session by using Terminal Services Manager.

The following is a list of the permissions that you can set in Terminal Services Configuration and the capability that each permission provides.

Permission: Capability

Query Information: Query sessions and terminal servers for information

Set Information: Configure properties of the connection

Remote Control: View or actively control another user's session

Logon: Log on to a session on the terminal server

Logoff: Log off a user from a session

Message: Send a message to a user session

Connect: Connect to another user session

Disconnect: Disconnect a user session

Virtual Channels: Use a virtual channel in a session, which provides local device and resource redirection

By default, the Remote Desktop Users group is assigned the following permissions: Query Information, Logon, Message, and Connect.

There are three standard preconfigured sets of permissions:

Full Control

User Access

Guest Access

The following is a list of permissions that are associated with each of the standard preconfigured sets of permissions.

Use the following procedure to configure permissions for a connection.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure permissions for a connection

Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

Under Connections, right-click the name of the connection, and then click Properties.

In the Properties dialog box for the connection, click the Security tab.

You might receive one of the following informational messages:

A message that recommends that you control access to the terminal server by using the Remote Desktop Users group.

A message telling you that the permission settings are read-only because the Do not allow local administrators to customize permissions Group Policy setting has been enabled and has been applied to the terminal server.

Click OK.

Configure the permissions as appropriate for your environment and then click OK.

You can prevent administrators from changing the permissions for a connection by applying the Do not allow local administrators to customize permissions Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).
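
To review the permissions that are actually in effect on each connection, the following added example (not part of the original page) lists every account on every connection, decodes its allowed permissions into the names used above, and shows where the Remote Desktop Users group holds more than the default set stated on this page. It assumes the Terminal Services WMI provider (class Win32_TSAccount in the root\CIMV2\TerminalServices namespace) and that provider's PermissionsAllowed bit values, neither of which appears on this page; the function names are hypothetical.

```powershell
# Added example, not from the original page. Assumptions: the Win32_TSAccount WMI
# class in root\CIMV2\TerminalServices and the PermissionsAllowed bit values below.
$PermissionBits = @{
    0x001 = 'Query Information'; 0x002 = 'Set Information'; 0x004 = 'Logoff'
    0x008 = 'Virtual Channels';  0x010 = 'Remote Control';  0x020 = 'Logon'
    0x080 = 'Message';           0x100 = 'Connect';         0x200 = 'Disconnect'
}
# Default stated on this page for Remote Desktop Users:
# Query Information, Logon, Message, Connect.
$RduDefault = 0x001 -bor 0x020 -bor 0x080 -bor 0x100
$RduSid     = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users

# Turn a permission bitmask into the permission names listed on this page.
# Bits that are not in $PermissionBits are not named.
function Get-TSPermissionName {
    param([int64]$Mask)
    $names = @()
    foreach ($bit in ($PermissionBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $names += $PermissionBits[$bit] }
    }
    return ,$names
}

# One row per account per connection, with two review columns:
# RemoteControl (can view or control other sessions) and BeyondRduDefault.
function Get-TSConnectionPermissionAudit {
    param([string]$ComputerName = '.')
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\CIMV2\TerminalServices' `
                  -Class Win32_TSAccount -Authentication PacketPrivacy |
    ForEach-Object {
        $allowed = [int64]$_.PermissionsAllowed
        $extra = 0
        if ($_.SID -eq $RduSid) { $extra = $allowed -band (-bnot [int64]$RduDefault) }
        New-Object PSObject -Property @{
            Connection       = $_.TerminalName
            Account          = $_.AccountName
            Allowed          = (Get-TSPermissionName $allowed) -join ', '
            RemoteControl    = [bool]($allowed -band 0x010)
            BeyondRduDefault = (Get-TSPermissionName $extra) -join ', '
        }
    }
}

Get-TSConnectionPermissionAudit |
    Sort-Object Connection, Account |
    Format-Table Connection, Account, RemoteControl, BeyondRduDefault, Allowed -AutoSize
```

Run it from an elevated PowerShell session on the terminal server. A non-empty BeyondRduDefault value, or RemoteControl set to True for an account that should not be able to view other users' sessions, marks a connection to review on the Security tab.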